Judge Koh Dismisses the Bulk of the Yahoo Email Scanning Class Action

Plaintiffs are non-Yahoo email users who sent messages to Yahoo users. They allege that Yahoo’s email scans violate federal and state wiretapping laws and invade their privacy.

ECPA: This claim alleges that Yahoo “intercepts” the emails. ECPA is subject to two exemptions as relevant here. First, it’s a one-party consent statute; the consent of one of the parties is a defense. Second, interception must occur through a device, and the definition of device excludes the equipment used to transmit the message when used in its ordinary course.

Yahoo argued that there’s no interception because the emails were scanned when they were in Yahoo’s servers and thus in temporary storage, not in transit. The court says this argument is premature at the motion to dismiss stage and credits plaintiffs’ contrary allegation in their pleading.

While the court does not accept Yahoo’s argument about the nature of the interception or access at this stage, the court does agree with Yahoo’s argument that the terms of service supplies it with the necessary consent (i.e., Yahoo users agree to the terms of service and their consent is sufficient to defeat ECPA claims asserted by non-users who sent emails to Yahoo users). The court says that Yahoo’s contract formation process is relatively leakproof, in the sense that you have to click “I agree” in order to create an account, and that the “Yahoo Global Additional Terms of Service for Yahoo Mail and Messenger” adequately apprise users that their email is being scanned:

Plaintiffs argued that the language was not specific enough and that aspects of Yahoo’s conduct were not adequately described in the terms. The only point that gives the court pause is whether Yahoo’s disclosure makes clear that it stores content from emails for future use, and the court says this would be clear to an average user. Although Yahoo changed the language slightly to make clear it stored the emails, the court says even the previous language is sufficient:

The reasonable user would know that “scanning and analyzing” requires Yahoo to collect and store the email content. In other words, the Court finds it implausible that users did not – after agreeing, based on the ATOS, to Yahoo’s scanning and analysis of emails – realize that in order to engage in analysis of emails, Yahoo would have to store the emails…

The court similarly rejects plaintiffs claims about ambiguity within Yahoo’s terms about what types of “future use” Yahoo may engage in. (The court does grant leave to amend.) Ultimately, Yahoo’s terms of service supply it with a very useful consent argument against wiretapping claims.

SCA: Plaintiffs conceded that Yahoo had immunity for access to the emails since it was the service provider with respect to those emails, but they alleged that Yahoo improperly disclosed the contents of the emails to Yahoo’s partners and service providers in the advertising chain. While plaintiffs’ allegations are not very precise as to exactly what was disclosed, the court says they are sufficient (barely) under Twombly. The net result here is that the complaint squeaks by on the allegation that Yahoo improperly disclosed the “contents” of the emails, but plaintiff will have to develop facts and allegations around this down the road.

Interestingly, the disclosure allegations were premised partially on language contained in Yahoo’s own privacy policy, as well as a FAQ saying Yahoo may anonymously share “specific objects from a message with a 3rd party to provide a more relevant experience.” As an example, the FAQ mentioned that Yahoo may share “package tracking number with a shipping company” or may “share your flight number with your airline to enable flight notifications within your inbox.” Judge Koh cites both of these as plausible examples of improper disclosures.

Yahoo raised a consent argument to the SCA claims as well, but Judge Koh says it wasn’t raised in Yahoo’s initial round of briefing so she declines to consider it.

California Invasion of Privacy Act: Yahoo argued again that the emails were not in transit and they were in storage and thus there was no interception while in transit. It also raised a preemption argument, saying that ECPA preempts the California statute if the California statute applies to emails that have already reached the provider’s servers. The court rejects both arguments and says that it must accept as true plaintiffs’ allegations that the emails were intercepted while in transit. The court declines to dismiss this claim.

California Constitution: The court dismisses this claim because plaintiffs didn’t allege that any specific, private, confidential information was accessed or disclosed. The generic access by Yahoo of emails is closer to typical commercial behavior than something outrageous. Many cases have held that routine access to information does not trigger a cause of action under the California constitution:

Plaintiffs do not cite, nor has this Court found, any case in the California or federal courts holding that individuals have a legally protected privacy interest or reasonable expectation of privacy in emails generally.

(See also Miller v. Meyers.) That said, the court grants leave to amend so that plaintiffs can show that the access or disclosure of specific emails or contents of emails was sufficiently egregious to warrant recognition of a claim.

__

This is a classic Judge Koh ruling. It holds the plaintiffs’ complaint up to detailed scrutiny, yet occasionally gives plaintiffs the benefit of the doubt. I don’t know if either side will be particularly happy with this result. On balance, it’s more helpful to Yahoo than to the plaintiffs. Whether or not this case turns into a big issue for Yahoo depends on what happens down the road. The Gmail scanning lawsuit started off with a bang, but fizzled out after Judge Koh refused to certify the class (this resulted in a chunk of it being settled). (See “Google Settles Portion Of Lawsuit About Gmail Ads”.)

Yahoo’s consent argument fares better than Google’s consent argument in the Gmail scanning case. That’s probably a result of Yahoo’s user agreement language being clearer, but it’s also possible Judge Koh got slightly more comfortable with the idea that consent can come via a terms of service. Whether a particular user consented was treated as a factually contested issue in the Gmail case; but here, the court looks at the language, decides what a reasonable consumer would understand, and makes a decision. Interestingly, treating consent as a fact-specific issue in the Gmail case was a barrier to initial dismissal of the case, but ultimately had a defense-friendly byproduct of precluding class certification.

So, what happens next is some procedural wrangling around plaintiffs’ efforts to amend their complaint and seek discovery, and Yahoo’s attempts to defeat class certification. The denial of a motion to dismiss a putative class action has not been a lottery ticket for plaintiffs. A slew of lawsuits have been defeated both at class certification and even at the summary judgment stage. The ruling already flags a key issue that could be resolved in Yahoo’s favor after factual development (whether Yahoo’s scanning technology accesses emails only after they were on Yahoo’s servers, or whether they were intercepted in transit). This would leave a small portion of the lawsuit, dealing with disclosure of the intimate or particularly confidential details from emails to third parties and whether this amounts to a violation of rights under the California constitution. The consent argument could be useful to Yahoo against this claim as well.

There’s also a core question lurking in the background, which is whether Yahoo’s disclosure and use of email contents, on a totally anonymized basis or by algorithm to target advertising, constitutes a violation of the statute. Does a disclosure have to identify a specific person, or does a human have to read or have access to the contents of an email in order for Yahoo to violate the statute? The search disclosure and anonymization cases offer some interesting parallels in this regard. See also, Bruce Boyden: “Can a Computer Intercept Your Email” [pdf].

Perhaps we shouldn’t be so nonchalant about companies scanning our emails for advertising and optimization purposes. At a minimum, it probably desensitizes us to government surveillance. (Part Two of Frontline’s series on privacy made some interesting points about this: “Privacy Lost“. It’s well worth watching.) But this lawsuit shows how difficult it is to assert legal claims based on this practice.

[Eric’s comment: I see things 100% differently than Venkat’s last paragraph. To me, I don’t think email service providers desensitize us to government surveillance. Instead, I think chicken-scratch privacy lawsuits over private services that make our lives better (like tracking packages or flights) are a much more effective way to desensitize us to the disproportionately huge risks that we all face when the government intercepts our emails and surveils the people it’s supposed to protect.]

Note: there was one part of the court’s discussion that I wasn’t clear on, and this involved discussion in Yahoo’s privacy FAQ about the disclosure of “objects” such as flight or package information. It’s unclear if this is intended to flag to subscribers that such information is being exchanged with airlines and delivery companies, perhaps to facilitate alerts, or to flag to subscribers that this information when exchanged with non-subscribers is subject to disclosure. As menial as a package number may sound (and while it’s awfully nice of Yahoo to our lives easier by disclosing this information to a third party to obtain a specific delivery date), for most people, this is the sort of thing that they would prefer companies don’t take care of for them.